b"U.S. DEPARTMENT OF COMMERCE\n          Office of Inspector General\n\n\n\n\n              UNITED STATES PATENT\n\n             AND TRADEMARK OFFICE \n\n\n        Independent Evaluation of USPTO\xe2\x80\x99s\n    Information Security Program Under the\nGovernment Information Security Reform Act\n\n                              Executive Summary\n\n\n   Final Inspection Report No. OSE-15250/September 2002\n\n\n\n\n                             PUBLIC\n                             RELEASE\n\n\n\n                           Office of Systems Evaluation\n\n\x0cU.S. Department of Commerce                                                                      Final Inspection Report OSE-15250 \n\nOffice of Inspector General                                                                                         September 2002\n\n\n\n\n\n                                                    TABLE OF CONTENTS\n\n\nINTRODUCTION .......................................................................................................................... 1 \n\n\nOBJECTIVES, SCOPE, AND METHODOLOGY........................................................................ 2 \n\n\nFINDINGS...................................................................................................................................... 4\n\n\nI.\t   USPTO Should Report Information Security as a Material Weakness................................... 4\n\n\nII.\t USPTO\xe2\x80\x99s Top Leadership Has Made a Commitment to Improving Information Security..... 4\n\n     A. Long-standing Information Security Weaknesses Require Senior Management \n\n        Attention............................................................................................................................ 4 \n\n     B. The Director Is Taking Action to Support Information Security Improvements .............. 5\n\n\nIII.\t Incident Response Reporting and Handling Procedures Are Being Revised.......................... 
6\n\n\nIV.\t USPTO Program Officials and CIO Need to Ensure That Management Controls Are Fully\n\n     Implemented............................................................................................................................ 6 \n\n     A. Risk Assessments Have Not Been Completed, Security Plans Are Outdated, and \n\n         Controls Have Not Been Tested........................................................................................ 7 \n\n     B.\t Systems Are Not Accredited ............................................................................................ 7 \n\n     C. USPTO Is Taking Steps to Strengthen Management Controls ......................................... 8\n\n\nV. \t Improvements Are Needed in USPTO-Wide Security Program Implementation, Life Cycle \n\n     Management, Training, and Capital Investment Planning ...................................................... 9 \n\n     A. Policies and Procedures Exist but Often Are Not Implemented ....................................... 9 \n\n     B. Life Cycle Management Deficiencies Should Be Corrected............................................. 9 \n\n     C. Information Security Awareness, Training, and Education Need Improvement ............ 10 \n\n     D. Information Security Requirements Should Be Identified in Capital Asset Plans and \n\n        Linked to Security Cost Estimates .................................................................................. 11 \n\n     E. USPTO Is Taking Action to Improve Security Program Implementation, Life Cycle \n\n        Management, Training, and Capital Investment Planning .............................................. 11\n\n\nVI.\t Information Security Requirements Need to Be Included in USPTO\xe2\x80\x99s Information \n\n     Technology Service Contracts............................................................................................... 12\n\n\nVII. 
USPTO\xe2\x80\x99s Corrective Action Plan Establishes a Solid Foundation for Improving Information \n\n     Security ............................................................................................................................... 13 \n\n\x0cU.S. Department of Commerce                                                 Final Inspection Report OSE-15250 \n\nOffice of Inspector General                                                                    September 2002\n\n\n                                            INTRODUCTION \n\n\nThe Government Information Security Reform Act (GISRA), Title X, subtitle G, of the 2001\nDefense Authorization Act (P.L. 106-398) was signed into law on October 30, 2000. This law\ncontains a subchapter that primarily addresses managing, implementing, overseeing, and\nensuring the security of unclassified and national security information systems.\n\nGISRA requires (1) annual agency program reviews; (2) annual independent OIG evaluations;\n(3) agency reporting of the results of OIG evaluations to the Office of Management and Budget\n(OMB); and (4) an annual OMB report to Congress summarizing the agency materials received.\n\nIn accordance with OMB guidance, agency heads are to transmit to OMB both OIG\xe2\x80\x99s\nindependent evaluation and the agency\xe2\x80\x99s program review along with fiscal year budget materials.\nAs a performance-based organization, the United States Patent and Trademark Office (USPTO)\nsubmits its budget materials and information security review separate from those of the\nDepartment of Commerce. For FY01, we submitted the same independent evaluation for\nUSPTO as for the Department because our evaluation addressed the status and issues associated\nwith the Department as a whole, including USPTO. However, because USPTO is undertaking\nactions separate from the Department\xe2\x80\x99s to manage information security, we have reviewed\nUSPTO\xe2\x80\x99s information security program separately in FY02. 
This report summarizes the results\nof that separate review.\n\nUSPTO\xe2\x80\x99s Fiscal Year 2001 GISRA Reporting\n\nIn conducting its own FY01 GISRA review, USPTO used NIST\xe2\x80\x99s Security Self-Assessment\nGuide for Information Technology Systems,1 as recommended by OMB. This guide establishes\nfive levels of program effectiveness\xe2\x80\x94level 5 being the highest (see Figure 1)\xe2\x80\x94and identifies\nsteps that must be taken to achieve each assessment level.\n\n\n                 Level 1       Documented Policy\n                 Level 2       Documented Procedures\n                 Level 3       Implemented Procedures and Controls\n                 Level 4       Tested and Reviewed Procedures and Controls\n                 Level 5       Fully Integrated Procedures and Controls\n\nFigure 1. Levels of Information Security Effectiveness\n\nBased on its self-assessment, USPTO reported for FY01 that tested and reviewed information\nsecurity procedures and controls were in place for all of its systems. That is, USPTO rated itself\nat level 4, stating, \xe2\x80\x9cWith current funding levels, USPTO will meet 75 percent of level 5\n\n1\n National Institute of Standards and Technology. August 2001. Security Self-Assessment Guide for Information\nTechnology Systems, NIST Special Publication 800-26. Gaithersburg, MD: NIST.\n\n                                                       1\n\n\x0cU.S. Department of Commerce                                                   Final Inspection Report OSE-15250 \n\nOffice of Inspector General                                                                      September 2002\n\n\ncompliance of GISRA at the end of FY 2002. However, we expect to achieve 100 percent\ncompliance by the end of FY 2003.\xe2\x80\x9d\n\nIn reviewing the information supporting the self-assessment, we found that USPTO merited an\noverall score of no more than level 2, and our independent evaluation results, presented here,\nconfirm this rating. 
In FY02, USPTO reassessed its status and told us that, consistent with our\nevaluation, it now considers itself at level 2.\n\n                          OBJECTIVES, SCOPE, AND METHODOLOGY\n\nWe sought to determine whether USPTO\xe2\x80\x99s information security program and practices comply\nwith the requirements of GISRA, which mandates that federal agencies have effective security\nmeasures for the information resources that support their operations. Our evaluation for FY02 is\nbased on the results of the following OIG reviews and audits:\n\n        \xe2\x80\xa2\t   Additional Senior Management Attention Needed to Strengthen USPTO\xe2\x80\x99s Information\n             Security Program, Final Inspection Report No. OSE-14816/March 2002. Evaluation\n             of organization-wide information security policies and procedures, staff roles and\n             responsibilities, and the program\xe2\x80\x99s compliance with applicable laws, regulations, and\n             guidance.\n\n        \xe2\x80\xa2\t   Stronger Management Controls Needed for the Patent Application Capture and\n             Review Automated Information System, Inspection Report No. OSE-14926/August\n             2002. Evaluation of information security controls for the Patent Application Capture\n             And Review (PACR) system, which captures, stores, and maintains digital images of\n             U.S. patent applications, and retrieves and prints these documents as needed. USPTO\n             relies on the highly sensitive PACR system for day-to-day operations.\n\n        \xe2\x80\xa2\t   Improvements Needed in the General Controls Associated with USPTO\xe2\x80\x99s Financial\n             Management Systems, Audit Report No. FSD-14477-2-0001/February 2002. Audit of\n             general controls associated with the IT processing environment conducted as part of\n             OIG\xe2\x80\x99s FY01 financial statements audit. 
This report included a follow-up review of\n             the general controls associated with the Revenue Accounting and Management\n             System and the Federal Financial System (U.S. Geological Survey\xe2\x80\x99s standardized\n             financial system that provides financial services to USPTO), and an examination of\n             the controls over USPTO\xe2\x80\x99s public key infrastructure environment.2\n\n\n\n\n2\n A public key infrastructure enables users of an unsecured public network such as the Internet to securely and\nprivately exchange data and money through the use of a public and private cryptographic key pair that is obtained\nand shared through a trusted authority.\n\n                                                         2\n\n\x0cU.S. Department of Commerce                                      Final Inspection Report OSE-15250 \n\nOffice of Inspector General                                                         September 2002\n\n\n       \xe2\x80\xa2\t   Network Vulnerability Assessment Improvements Needed in the General Controls\n            Associated with USPTO\xe2\x80\x99s Financial Management Systems, Audit Report No. FSD\n            14477-2-0003/March 2002. Also part of OIG\xe2\x80\x99s FY01 financial statements audit, this\n            review was a limited network vulnerability assessment of USPTO\xe2\x80\x99s local area\n            network, PTONet.\n\nWe conducted our evaluation using the following criteria: NIST\xe2\x80\x99s Security Self-Assessment\nGuide for Information Technology Systems, GISRA, the Computer Security Act, and OMB\nCircular No. 
A-130, \xe2\x80\x9cManagement of Federal Information.\xe2\x80\x9d An OIG contractor conducted the\ngeneral control reviews of financial systems and related networks, using GAO\xe2\x80\x99s Federal\nInformation System Controls Audit Manual as a guide.\n\nThe structure and content of this report respond to guidance provided by OMB in Reporting on\nthe Government Information Security Reform Act. The report is being issued in final because it\nis based primarily on prior OIG work that has been presented in previous reports and because it\nmakes no new recommendations. We do not address critical infrastructure issues because\nUSPTO has no assets considered critical under the critical infrastructure protection program.\n\nWe performed our work in accordance with the Inspector General Act of 1978, as amended, and\nthe Quality Standards for Inspections, March 1993, issued by the President\xe2\x80\x99s Council on\nIntegrity and Efficiency.\n\n\n\n\n                                               3\n\n\x0cU.S. Department of Commerce                                       Final Inspection Report OSE-15250 \n\nOffice of Inspector General                                                          September 2002\n\n\n                                           FINDINGS\n\n\nI. \t USPTO Should Report Information Security as a Material Weakness\n\nGISRA requires that significant deficiencies in security policy, procedures, or practices be\nreported as material weaknesses. OMB Circular A-130, Appendix III, \xe2\x80\x9cSecurity of Federal\nAutomated Information Resources,\xe2\x80\x9d instructs agencies to identify security deficiencies pursuant\nto OMB Circular A-123, \xe2\x80\x9cManagement Accountability and Control,\xe2\x80\x9d if it is determined that\nthere is no assignment of security responsibility, no security plan, or no accreditation. The\nagency\xe2\x80\x99s decision to report a material weakness should depend on the risk and magnitude of\nharm posed by the weakness. 
Failure to report significant information security weaknesses could\nresult in the failure to mitigate unacceptably high security risks.\n\nAs discussed in this report, our evaluation found that USPTO lacks up-to-date security plans and\ncurrent accreditations for its operational systems; in our opinion, USPTO should consider\ninformation security a material weakness. We recommended that USPTO determine whether\nthis area is a potential material weakness to be brought to the attention of the Department, which\nwould then determine whether it is significant enough to report to the President and Congress.\nAdditionally, we recommended that USPTO revise its information security policy to identify\ninformation security deficiencies that are material weaknesses pursuant to OMB Circular A-123\nand the Federal Managers\xe2\x80\x99 Financial Integrity Act (FMFIA), and bring them to the Department\xe2\x80\x99s\nattention.\n\nUSPTO has agreed to revise its information security policy and will develop an administrative\norder that defines the process for identifying and reporting material weaknesses to the\nDepartment. USPTO officials told us that in reporting to the Department under OMB Circular\nA-123 and FMFIA for FY02, they are seriously considering identifying information security as a\nmaterial weakness, but have made no decision yet. Until all of USPTO\xe2\x80\x99s mission-critical\nsystems are accredited, we believe that information security should be reported as a material\nweakness.\n\nII. \t USPTO\xe2\x80\x99s Top Leadership Has Made a Commitment to Improving Information\n      Security\n\nA. 
\t Long-standing Information Security Weaknesses Require Senior Management Attention\n\nTo safeguard the privacy, confidentiality, and security of federal information, GISRA makes the\nhead of an agency responsible for ensuring that security plans for the agency\xe2\x80\x99s information\nsystems are in force throughout each system\xe2\x80\x99s life cycle and promoting security as an integral\ncomponent of that agency\xe2\x80\x99s business operations. Our evaluation found that, until recently,\ninformation security had not received adequate attention at USPTO. As a result, significant\nweaknesses exist in planning, budgeting, implementing, reviewing, and overseeing this area.\n\n\n\n\n                                                4\n\n\x0cU.S. Department of Commerce                                        Final Inspection Report OSE-15250 \n\nOffice of Inspector General                                                           September 2002\n\n\nSpecifically, we found a lack of follow-through in carrying out fundamental responsibilities,\nincluding\n\n   \xe2\x80\xa2\t   identifying, assessing, and understanding risks to IT assets;\n\n   \xe2\x80\xa2\t   determining security needs commensurate with levels of risk;\n\n   \xe2\x80\xa2\t   planning, implementing, and testing controls that adequately address risk;\n\n   \xe2\x80\xa2\t   promoting continued awareness of information security risk and providing appropriate\n        training;\n\n   \xe2\x80\xa2\t   continually monitoring and evaluating information security policy and the effectiveness\n        of related practices; and\n\n   \xe2\x80\xa2\t   integrating security into capital planning and investment control processes.\n\nSince the time of our evaluation, the Under Secretary of Commerce for Intellectual Property and\nDirector of USPTO has made a commitment to protect the bureau\xe2\x80\x99s information assets and is\ndevoting additional attention and resources to this area.\n\nB. 
\tThe Director Is Taking Action to Support Information Security Improvements\n\nIn our report, Additional Senior Management Attention Needed to Strengthen USPTO\xe2\x80\x99s\nInformation Security Program, we noted that the awareness, support, and proactive involvement\nof USPTO\xe2\x80\x99s senior management are essential to establishing the environment and ensuring the\nresources needed to promote an effective information security program. We recommended that\nthe USPTO Director ensure that senior management officials give information security high\npriority, sufficient resources, and their personal attention; work closely with the USPTO chief\ninformation officer (CIO) to improve information security; and be provided with explicitly\ndefined and documented information security responsibilities.\n\nThe Director agreed with these recommendations. According to the corrective action plan\nUSPTO submitted in response to the above-cited OIG report, the CIO regularly briefs the\nDirector and the Executive Committee on the status of efforts to strengthen information security.\nBecause this committee deals with all budget issues and reviews the strategic information\ntechnology plan, no significant IT investment can be made without its concurrence. Therefore,\nUSPTO has a structure in place to ensure that information security is planned for all significant\nIT investments and receives appropriate attention throughout an investment\xe2\x80\x99s life cycle.\n\nAdditionally, the Director has authorized the CIO to add six information security staff positions,\nhas reallocated FY02 funding for information security program improvements, and is seeking\nincreases in base spending for information security. The Director has also approved several\ninitiatives to revise information security operations and controls (see page 13) and to provide a\n\n                                                 5\n\n\x0cU.S. 
Department of Commerce                                                  Final Inspection Report OSE-15250 \n\nOffice of Inspector General                                                                     September 2002\n\n\nframework for improving overall compliance with the requirements for management and\noperational controls.\n\nUSPTO\xe2\x80\x99s new strategy, presented in The 21st Century Strategic Plan,3 further demonstrates the\nDirector\xe2\x80\x99s commitment to improving information security. Referring to the OIG reports on\nwhich our independent evaluation is based, the plan states that USPTO is not in compliance with\nthe law and that because information security has not yet become an integral part of USPTO\xe2\x80\x99s\nbusiness operations, fundamental IT security responsibilities are frequently not carried out. The\nplan concludes that the implication of not being compliant with GISRA is that neither internal\nnor external customers can trust USPTO\xe2\x80\x99s automated information systems and presents tasks,\nmilestones, and a schedule for correcting this problem that are consistent with our\nrecommendations. It also proposes using data replication for disaster recovery, an important\nelement of information security.\n\nIII. Incident Response Reporting and Handling Procedures Are Being Revised\n\nOMB Circular A-130 requires agencies to establish formal incident response mechanisms for\nevaluating and responding to security incidents in a manner that protects their own information\nand that of others who might be affected by the incident. 
GISRA expands on this policy by\nrequiring agencies to notify and consult with law enforcement officials, other offices and\nauthorities, and the General Services Administration\xe2\x80\x99s Federal Computer Incident Response\nCenter (FedCIRC) when such an incident occurs.\n\nWe found that USPTO\xe2\x80\x99s documentation of response procedures for information security\nincidents is consistent with OMB Circular A-130. Its documents appropriately identify roles and\nresponsibilities, define incident types and severity levels, and have reporting requirements.\nHowever, USPTO does not require that OIG and external security offices and authorities be\nnotified or consulted. For the period from October 2000 to October 2001, USPTO recorded\nseveral high-severity information security incidents, but did not report any to FedCIRC or OIG.\n\nWe recommended that USPTO revise its incident handling procedures to include the reporting of\nsuch events to both FedCIRC and OIG. USPTO agreed and will implement this\nrecommendation by reporting incidents to the Department, which will then relay the information\nto FedCIRC and OIG, as appropriate.\n\nIV. \t      USPTO Program Officials and CIO Need to Ensure That Management Controls\n           Are Fully Implemented\n\nGISRA requires agency managers and program officials to ensure that effective information\nsecurity policies and procedures are implemented throughout the life cycle of every IT system.\nThe agency CIO is required to assist other senior officials with their information security\nresponsibilities, as well as ensure that effective policies and procedures are implemented for the\nsystems that support the CIO\xe2\x80\x99s functions. Our evaluation found that program officials have not\n\n3\n    U.S. Patent and Trademark Office, June 3, 2002. The 21st Century Strategic Plan. Washington, DC: USPTO.\n                                                         6\n\n\x0cU.S. 
Department of Commerce                                                     Final Inspection Report OSE-15250 \n\nOffice of Inspector General                                                                        September 2002\n\n\ngiven sufficient attention to the security of the information assets that support their operations.\nThe first two sections of this finding discuss the observations and recommendations we made as\na result of our fieldwork; the third section addresses the steps that USPTO has taken or planned\nin response.\n\nA. \t       Risk Assessments Have Not Been Completed, Security Plans Are Outdated, and\n           Controls Have Not Been Tested\n\nProgram officials are responsible for information security management controls\xe2\x80\x94assessing the\nrisks to the operations and assets over which they have authority, determining the level of\ninformation security to protect such operations and assets, and periodically testing and evaluating\ninformation security controls and techniques. As shown in Figure 2, at the time of our\nevaluation, 64 of USPTO\xe2\x80\x99s 78 operational systems4 (or 82 percent) lacked documented risk\nassessments, and the security plans for 24 of those systems (30 percent) were more than 3 years\nold. Systems supporting the missions of program officials and the CIO lacked up-to-date risk\nassessments and security plans. 
We recommended that USPTO conduct, document, and keep\ncurrent, risk assessments for all operational systems; develop up-to-date security plans for these\nsystems; and implement a program stipulating periodic reviews and evaluations of the\neffectiveness of information security controls.\n\n\n\n\n                    100%                                                        % Incomplete\n                     80%                                                        % Complete\n\n                     60%\n                     40%\n                     20%\n                      0%\n                           Risk Assessments Security Plans         Systems\n                                                                  Accredited\n\n\n\nFigure 2. Status of USPTO\xe2\x80\x99s Key Information Security Management Controls at Time of\n          OIG Evaluation (December 2001)\n\n\nB.      Systems Are Not Accredited\n\nOMB Circular A-130 requires management officials to formally authorize the use of a system\nbefore it becomes operational. This authorization, also referred to as accreditation, denotes that\nthe manager understands and accepts responsibility for the risks associated with putting the\nsystem into operation. The authorization is based on an assessment of the system\xe2\x80\x99s management,\n\n4\n    Since the time of our evaluation, USPTO has revised its system inventory.\n                                                             7\n\n\x0cU.S. Department of Commerce                                        Final Inspection Report OSE-15250 \n\nOffice of Inspector General                                                           September 2002\n\n\noperational, and technical controls. Because the security plan establishes and documents the\nsystem protection requirements and the security controls in place, it forms the basis for\nmanagement's decision to authorize processing. 
A system should be reauthorized following any\nsignificant change or at least every three years, and more often where risk and potential\nmagnitude of harm are high.\n\nAt USPTO, accreditation is a shared responsibility. The project manager, system development\nmanager, and information system security officer are responsible for preparing and submitting an\naccreditation package that includes a statement certifying that security controls, features, and\nprocedures are activated and working as required. The CIO and the program sponsor have\napproval authority for accreditation and determine whether system controls are adequate and\nlevel of risk is acceptable based on an evaluation of this package.\n\nWe found that none of USPTO\xe2\x80\x99s operational systems has a current authorization to process\n(accreditation), and until recently, little attention was given to accreditation. The lack of\naccreditation indicates that management has neither formally reviewed the controls nor explicitly\naccepted the associated risk. As a result, USPTO lacks assurance that its operational systems are\nadequately protected.\n\nWe recommended that USPTO prioritize all operational systems according to risk and\nimportance, accredit all high-risk systems by the end of fiscal year 2002, and accredit all\nremaining systems by the end of fiscal year 2003. We also recommended that accreditations be\nupdated at least every three years or whenever a significant change in a system occurs.\n\nC. USPTO Is Taking Steps to Strengthen Management Controls\n\nUSPTO responded to our recommendations by providing funding and developing approaches to\naddress the problems we identified. Specifically, the CIO has initiated a pilot project to establish\na certification and accreditation process for five information systems. As part of the process, risk\nassessments, security plans, and contingency plans are being prepared, and security tests and\nevaluations performed. 
The pilot will validate staffing and cost estimates for USPTO\xe2\x80\x99s\ninformation security program budget request. After the pilot is completed, the process will be\nextended to USPTO\xe2\x80\x99s other information systems.\n\nUSPTO preliminarily ranked its systems by risk and criticality, but concluded that it cannot\nachieve the accreditation schedule we had recommended. Instead, it plans to accredit all high-\nrisk systems by the end of FY03 and the remaining systems by the end of FY04. Because of the\nlarge amount of work USPTO has to perform to complete the accreditations and the importance\nof employing a meaningful and effective accreditation process, we agreed with this timetable.\nUSPTO does, however, intend to have up-to-date security plans for all of its systems by the end\nof FY02 and to update them on a 3-year cycle as part of certification and accreditation.\n\n\n\n\n                                                 8\n\n\x0cU.S. Department of Commerce                                       Final Inspection Report OSE-15250 \n\nOffice of Inspector General                                                          September 2002\n\n\n\n\nV. \t   Improvements Are Needed in USPTO-Wide Security Program Implementation, Life\n       Cycle Management, Training, and Capital Investment Planning\n\nGISRA requires agency CIOs to administer the information security program agencywide, a\nprocess that entails developing the security program, ensuring it is effectively implemented and\nmaintained, and training and overseeing personnel who have significant responsibilities for\ninformation security. Our evaluation found that USPTO needs improvements in all of these\nareas. The first four sections of this finding discuss the observations and recommendations we\nmade as a result of our fieldwork; the fifth section addresses the steps that USPTO has taken or\nplanned in response.\n\nA. 
\t   Policies and Procedures Exist but Often Are Not Implemented\n\nWe found that USPTO generally has documented policies and procedures in place that are\nconsistent with accepted security practices. However, as the foregoing discussions show, often\nthese policies and procedures are not implemented. Moreover, the CIO needs to work with other\nsenior agency officials to periodically evaluate the effectiveness of USPTO\xe2\x80\x99s information\nsecurity program, including testing control techniques.\n\nB.\t    Life Cycle Management Deficiencies Should Be Corrected\n\nSecurity Effects of Network Upgrade Were Not Well Planned\n\nDuring our evaluation of PACR, USPTO was transitioning from its local area network (LAN),\nPTONet, to the more capable and technologically current PTONet II. Because USPTO\xe2\x80\x99s LAN\nsupports patent application processing, the transition required changes to PACR network\ncomponents and related software.\n\nHowever, these changes were not well planned and did not adequately consider network security\nimplications. Just prior to the initial transition step for PACR, USPTO was unable to identify\nrequired software changes and necessary modifications to firewall rules. Furthermore, the\ninformation system security officer was unaware that these changes were about to be made, even\nthough he was also the acting director of the Office of Information Systems Security, which is\nresponsible for reviewing and authorizing proposed firewall changes.\n\nUSPTO issued draft procedures for implementing PACR network and firewall changes after\ninitial transition attempts failed. Since the conclusion of our fieldwork, USPTO successfully\ncompleted the transition of PACR to PTONet II. USPTO needs to better plan and coordinate IT\nchanges that affect the security of interconnected systems.\n\n\n\n\n                                                9\n\n\x0cU.S. 
Department of Commerce                                                  Final Inspection Report OSE-15250 \n\nOffice of Inspector General                                                                     September 2002\n\n\nDocumentation Was Inaccurate\n\nSystem documentation should be current and accurate to support testing, training, modification,\nand maintenance. The quality and utility of supporting documentation is a primary measure of\nthe health and well-being of a software project.5\n\nIn our review of PACR, we found that although security plans had been developed, USPTO was\nunable to provide official sign-off pages or documented Technical Review Board6 action to\nindicate that any of these plans had been officially approved. Moreover, in examining the\navailable system documentation for our PACR review and attending briefings provided by\nUSPTO, we found that\n\n     \xe2\x80\xa2\t   the documentation did not reflect the current system;\n\n     \xe2\x80\xa2\t   network topology diagrams, four in all, had the same issue date but each differed from\n          the others and none accurately described the then-current or planned topology; and\n\n     \xe2\x80\xa2\t   discrepancies existed between the network topology diagrams, equipment lists, and points\n          of contact specified in the High-level Architecture document and Operational Support\n          Plan.\n\nIn looking at USPTO\xe2\x80\x99s management system for IT documentation, we found problems with\nsecurity documentation for other systems as well. We recommended that documentation be\nupdated to reflect the current operational system, and a process to track document approval be\nestablished and enforced.\n\nC.        
Information Security Awareness, Training, and Education Need Improvement

USPTO’s information security awareness program covers the areas identified by OMB Circular A-130 and other applicable guidance; at the time of our fieldwork, however, awareness training was a one-time occurrence and only for new employees. Follow-on security awareness information is provided via the static log-on screen-warning banner with references to the Rules of the Road Services Guide. OMB Circular A-130 notes that attention to security tends to dissipate over time. NIST guidance states that a stimulus used repeatedly will eventually be selectively ignored. Therefore, we recommended that USPTO provide periodic refresher training to all employees to assure that they continue to understand and abide by the applicable rules.

In addition, USPTO does not have an adequate training and education program for personnel who need specialized security skills and competencies. Information security officers and other employees who have security responsibilities receive some relevant training, but that training is not sufficient, and USPTO lacks a formal program for giving employees security training applicable to their job function.

5 Fairley, R. 1985. Software Engineering Concepts. New York: McGraw-Hill, p. 220.
6 The Technical Review Board conducts reviews of work products and plans during the life cycle of an information system. The board is chaired by the deputy CIO and attended by the systems development manager for the project from the CIO’s office and the project manager from the project sponsor’s business unit.

Without such a program, USPTO cannot ensure that employees who have security responsibilities, including its security professionals, understand and apply information security practices effectively. We recommended that USPTO establish a formal training program that gives all personnel who have significant security responsibilities an understanding of those responsibilities and of information security risks.

D. Information Security Requirements Should Be Identified in Capital Asset Plans and Linked to Security Cost Estimates

Under GISRA, agencies must identify and budget for security measures and resources needed to protect IT investments, starting from the earliest planning stages and throughout the investment life cycle. OMB Circular A-11, which governs preparing and submitting budget estimates, stipulates that security costs be presented in Exhibit 53, “Agency IT Investment Portfolio,” as a percentage of the total system cost or project investment and that capital asset plans be provided in Exhibit 300, “Capital Asset Plan and Business Case,” indicating whether the project’s security meets GISRA requirements and describing the security and privacy measures to be used.

However, USPTO did not identify security costs for any individual system in its FY02 or FY03 budget submissions. Even if a security funding request had been included, the amount would have been questionable because USPTO had not conducted an accurate, thorough analysis of current security needs or of the cost of satisfying them. Furthermore, FY02-FY07 budget formulation guidance provided by USPTO’s Office of the Chief Information Officer did not contain instructions for incorporating security costs into budget formulations.

A lack of support within USPTO for information security funding has been cited as the reason for deficiencies in such areas as system accreditations and training. 
We believe that poorly substantiated budget requests have contributed to this problem. Without sound analysis, USPTO cannot justify funding needed to plan and implement required security improvements. We recommended that USPTO explicitly identify information security requirements and costs on a system-specific basis in funding requests to OMB.

E. USPTO Is Taking Action to Improve Security Program Implementation, Life Cycle Management, Training, and Capital Investment Planning

In addition to strengthening management controls (see Finding IV), the CIO is working to improve overall information security operations by restructuring the Office of Information System Security and enhancing other areas we identified as problematic: (1) policies that govern information security practices, (2) programs for training employees and contractors, and (3) processes for budgeting and planning for IT capital assets.

Office of Information System Security Restructuring. The CIO is separating policy and compliance functions from security operations—a move that should increase the office’s effectiveness—and is adding six new staff positions. Pending adequate staffing, the office has been headed by an acting IT security program manager who reports directly to the CIO and is responsible for managing USPTO’s information security improvement efforts. To remain in compliance with GISRA, this senior information security official should report to the CIO on a permanent basis.

Policies. 
In order to provide the basic foundation for information security, the CIO is preparing an administrative order that will describe USPTO’s information security policies and clarify staff roles and responsibilities. The CIO has also begun working with information security program managers to develop procedures for periodically evaluating the effectiveness of information security controls. Procedures for controlling security documentation are to be revised by the end of the calendar year.

Training. All USPTO employees and contractors completed security awareness training as of June 30, 2002. A working group is developing a plan for providing information security training that is specific to the individual responsibilities of all USPTO employees, with training for managers and technical personnel to begin in late September 2002. A database has been established to track employee training.

Budgeting and Planning. An information security budget has been developed that allocates funding for many needed improvements including

     • certification and accreditation,
     • self-assessments using the NIST Self-Assessment Guide,
     • compliance testing of a sample of information systems,
     • design and implementation of a host-based intrusion detection system,
     • contractor support for correction of information system vulnerabilities, and
     • information security training for users, managers, and technical personnel.

The Office of the CIO’s budget system has been enhanced so that information security costs can be budgeted and tracked for each system, and funding for information security has been included in each system’s budget plan.

VI. 
Information Security Requirements Need to Be Included in USPTO’s Information Technology Service Contracts

As outsourcing of IT services increases, the risk of security violations by contractors—whether inadvertent or deliberate—also grows. In last year’s GISRA report, we identified problems with information security in IT service contracts, most notably, a lack of sufficient policy and guidance to ensure that contract documents for IT services contain adequate information security provisions. In FY02, we examined this weakness in greater detail: we reviewed 40 of the Department’s IT service contracts, including some awarded by USPTO, and found that provisions to safeguard sensitive but unclassified systems and information were either insufficient or nonexistent. Based on the results of this sample, it is likely that the majority of IT service contracts throughout the Department lack needed information security provisions. Contracting officers and other acquisition team members need sufficient guidance and training, as well as support from technical experts and program officials, to ensure that they prepare and administer IT service contracts in a way that makes clear and enforceable the contractor’s responsibility and accountability for safeguarding the government’s information assets.

We recommended that the Department of Commerce’s Chief Financial Officer and Assistant Secretary for Administration take the necessary actions to ensure that all contracting offices within Commerce, including USPTO, include adequate information security provisions in all IT service contracts in order to protect the Department’s sensitive IT information and assets. Specifically, we urged the Department to establish standard contract provisions for safeguarding the security of unclassified systems and to disseminate clear, detailed policy for acquiring these systems and services.

We further recommended that such policy require contracting offices—with assistance from the Department’s Office of the CIO—to assess the information security risk associated with the proposed service or system during the acquisition planning phases; identify and include appropriate information security requirements in specifications and work statements; monitor contractor performance to ensure compliance with information security requirements; and terminate the contractor’s access to systems and networks once the contract is closed out. We also advised the Department to review all current contracts and solicitations for IT services to determine whether information security provisions should be added to them, even though such revisions may increase contract costs, and to ensure that all procurement personnel have appropriate training in information security. 
The CFO agreed with our recommendations and is taking actions to implement them.

Officials in USPTO's Office of Procurement told us that they generally agree with the findings and recommendations contained in our report pertaining to ensuring that adequate information security provisions are included in all IT service contracts and providing appropriate training in information security. They indicated, however, that due to USPTO's unique status, it may not be subject to some of the specific documents and policies identified in the report and intend to get input from the Office of the CIO. The Offices of Procurement and CIO need to work together, along with program officials, to ensure that adequate information security requirements are included and followed in all of USPTO's IT service contracts.

VII. USPTO’s Corrective Action Plan Establishes a Solid Foundation for Improving Information Security

In FY02, USPTO completely reworked its GISRA corrective action plan so that it lays out a cohesive roadmap for improving information security. USPTO’s plan is organized by the three control areas—management, operational, and technical—identified in NIST’s Security Self-Assessment Guide. The plan goes beyond the recommendations in our reports to identify additional actions needed in each control area for achieving a comprehensive information security program. Actions are added to the plan as new requirements are identified.

While USPTO has completed or is expecting to meet the schedule for about 80 percent of the milestones in its action plan, some important milestones are slipping. 
These include developing the administrative order on information security policies, completing the certification and accreditation pilot project, developing system-level procedures, and preparing a disaster recovery plan for USPTO’s infrastructure.

We believe, however, that USPTO is making a determined effort to improve its information security program and meet its milestones. Some of the delay is attributable to USPTO’s attempt to instill information security processes that will yield quality products and provide the needed degree of assurance. We anticipate that USPTO’s rate of progress will increase as it hires a permanent IT security manager, fills its new information security positions, and continues to give senior management attention to this area.